Linux Confidential Computing Development
 help / color / mirror / Atom feed
From: Peter Fang <peter.fang@intel.com>
To: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
Cc: "seanjc@google.com" <seanjc@google.com>,
	"djbw@kernel.org" <djbw@kernel.org>,
	"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
	"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>,
	"Li, Xiaoyao" <xiaoyao.li@intel.com>,
	"Hansen, Dave" <dave.hansen@intel.com>,
	"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
	"baolu.lu@linux.intel.com" <baolu.lu@linux.intel.com>,
	"Hunter, Adrian" <adrian.hunter@intel.com>,
	"kas@kernel.org" <kas@kernel.org>,
	"tony.lindgren@linux.intel.com" <tony.lindgren@linux.intel.com>,
	"Xu, Yilun" <yilun.xu@intel.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"Mehta, Sohil" <sohil.mehta@intel.com>,
	"Duan, Zhenzhong" <zhenzhong.duan@intel.com>,
	"Maloor, Kishen" <kishen.maloor@intel.com>,
	"yilun.xu@linux.intel.com" <yilun.xu@linux.intel.com>,
	"x86@kernel.org" <x86@kernel.org>
Subject: Re: [PATCH v2 16/17] KVM: TDX: Add in-kernel Quote generation
Date: Fri, 3 Jul 2026 22:43:42 -0700	[thread overview]
Message-ID: <20260704054342.GB2169894@pedri> (raw)
In-Reply-To: <9df36c49e6be69dd9eece71f70a404a84b1563ab.camel@intel.com>

On Wed, Jul 01, 2026 at 11:45:53AM -0700, Edgecombe, Rick P wrote:
> On Wed, 2026-07-01 at 10:25 -0700, Sean Christopherson wrote:
> > > > That is a good question. The answer is partly historical reasons, but I
> > > > think the pros/cons don’t really move the needle too much.
> > > > 
> > > > The main benefit of doing it with the host in the loop is that the guest
> > > > side TDVMCALL quoting interface can stay the same. There is also a wrinkle
> > > > in that there is a limited HW resource involved in the quoting,
> > 
> > What is this magical resource?
> 
> It's a HW crypto thing. I'll let Peter explain more.

It's called S3M (Secured Startup Services). There was once a public
document about it, but it was removed for some reason. It basically
provides a number of boot and security services through dedicated HW.
Attestation is one of them. This is part of our plan to develop new
attestation schemes without using SGX.

There was a lot of internal debate about how this HW should be managed.
We decided to let the TDX module handle it and sort of hide it from the
host kernel and only expose it as SEAMCALLs. It however impacted how the
quoting SEAMCALLs look, so apologies for not calling out these factors.

> 
> > 
> > > > so we want to do these operations one at a time. Having a mutex on the
> > > > host is the KISS way of accomplishing some level of fairness for DOS
> > > > prevention.
> > 
> > At the risk of unintentionally causing effecitvely DoS by introducing a
> > system-wide lock.
> 
> The DoS that people are interested in trying to prevent is a TD getting starved
> of quotes forever. So the lock is supposed to give some eventual fairness.
> Eventually the guest gets its quote even if it has to wait.
> 
> If instead contention throws a BUSY code to the guest, the guest spins trying.
> That wouldn't have the guarantees.
> 
> So I think the two options are: have some lock in the TDX module, or have a lock
> of some sort in the host. I think actually a waiting lock in the TDX module is
> possible. But I think there are tradeoffs besides where the extra code is. If
> it's in Linux we get a lot more control, lockdep, etc.
> 
> BTW the "historical reasons" part I mentioned involves a past effort to create
> configurable host controlled policies around managing these resources. So part
> of the simplification is doing a simple eventually fair global lock instead of
> something more complicated.

Yeah my bad for not including a lot more background. There were several
design aspects that influenced this implementation. I'll do a better job
of explaining them in the next version, but basically:

  1. Performance requirements: For this first implementation, the
     priority is to not starve a legit guest from getting a quote, even
     when there's a malicious guest DoSing the host. A mutex is sort of
     a "fair enough queue" for this problem. A guest's authenticity can
     only be verified after the quote is generated.

  2. HW limitation: The TDX module implements different attestation
     schemes, some of which use the S3M during TDH.QUOTE.GET. This
     limits the amount of concurrency this SEAMCALL supports and is also
     part of why we chose a mutex for TDH.QUOTE.GET. (The shared buffer
     in core TDX doesn't seem great, so I will improve it.)

  3. Host policies: Preserving the GetQuote GHCI also allows the host to
     participate in the quoting process, e.g. add host-controlled
     policies or fetch host-side quote information. It's a bit similar
     to SEV-SNP's KVM_EXIT_SNP_REQ_CERTS [1]. This series does not
     implement host policies though.


Ultimately, there are ways to push more of this into the module, and the
current design is kind of a tradeoff between the complexities of the
work needed in the guest, the host, and the TDX module. Like Rick said,
there were past versions that required way more work in the host and the
guest, such as managing the S3M, new GHCI calls, etc.

[1] Commit fa9893fadbc2 ("KVM: Introduce KVM_EXIT_SNP_REQ_CERTS for SNP
certificate-fetching"

> 

  reply	other threads:[~2026-07-04  5:43 UTC|newest]

Thread overview: 58+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-18  8:13 [PATCH v2 00/17] Enable DICE-based TDX Quoting Extension Xu Yilun
2026-06-18  8:13 ` [PATCH v2 01/17] x86/virt/tdx: Embed version info in SEAMCALL leaf function definitions Xu Yilun
2026-06-18 14:45   ` Dave Hansen
2026-06-22 12:05     ` Xu Yilun
2026-06-18  8:13 ` [PATCH v2 02/17] x86/virt/tdx: Configure add-on features on TDX module init and update Xu Yilun
2026-06-18 15:04   ` Dave Hansen
2026-06-24 12:00     ` Xu Yilun
2026-06-24 22:10       ` Peter Fang
2026-06-25  6:33         ` Xu Yilun
2026-06-23  8:43   ` Chao Gao
2026-06-25 10:50     ` Xu Yilun
2026-06-18  8:13 ` [PATCH v2 03/17] x86/virt/tdx: Detect if the extensions initialization is required Xu Yilun
2026-06-25  5:19   ` Tony Lindgren
2026-06-25 10:57     ` Xu Yilun
2026-06-29  6:33   ` Chao Gao
2026-06-30 11:10     ` Xu Yilun
2026-06-18  8:13 ` [PATCH v2 04/17] x86/virt/tdx: Add extra memory to TDX module for the extensions Xu Yilun
2026-06-29  7:56   ` Chao Gao
2026-06-30 10:27     ` Xu Yilun
2026-06-18  8:13 ` [PATCH v2 05/17] x86/virt/tdx: Make TDX module initialize " Xu Yilun
2026-06-18  8:13 ` [PATCH v2 06/17] x86/virt/tdx: Re-initialize the extensions on runtime TDX module update Xu Yilun
2026-06-29  8:12   ` Chao Gao
2026-06-30 11:14     ` Xu Yilun
2026-06-18  8:13 ` [PATCH v2 07/17] x86/virt/tdx: Initialize Quoting extension Xu Yilun
2026-06-29  8:33   ` Chao Gao
2026-06-30  5:20     ` Peter Fang
2026-06-18  8:13 ` [PATCH v2 08/17] x86/virt/tdx: Prepare Quote buffer during extension bringup Xu Yilun
2026-06-25  6:08   ` Tony Lindgren
2026-06-30  4:12     ` Peter Fang
2026-07-01 19:56   ` Dave Hansen
2026-06-18  8:13 ` [PATCH v2 09/17] x86/virt/tdx: Add interface to check Quoting availability Xu Yilun
2026-06-25  6:09   ` Tony Lindgren
2026-06-18  8:13 ` [PATCH v2 10/17] x86/virt/tdx: Move tdx_tdr_pa() up in the file Xu Yilun
2026-06-25  6:10   ` Tony Lindgren
2026-06-18  8:13 ` [PATCH v2 11/17] x86/virt/tdx: Add interface to generate a Quote Xu Yilun
2026-06-25  6:05   ` Tony Lindgren
2026-06-30  4:22     ` Peter Fang
2026-06-18  8:13 ` [PATCH v2 12/17] x86/virt/tdx: Reinitialize the Quoting extension after TDX module update Xu Yilun
2026-06-25  6:12   ` Tony Lindgren
2026-06-18  8:13 ` [PATCH v2 13/17] x86/virt/tdx: Enable Quoting extension Xu Yilun
2026-06-25  6:13   ` Tony Lindgren
2026-06-18  8:13 ` [PATCH v2 14/17] x86/tdx: Move and rename Quote request structure Xu Yilun
2026-06-25  6:15   ` Tony Lindgren
2026-06-18  8:13 ` [PATCH v2 15/17] KVM: TDX: Factor out userspace return path from tdx_get_quote() Xu Yilun
2026-06-25  6:16   ` Tony Lindgren
2026-06-18  8:13 ` [PATCH v2 16/17] KVM: TDX: Add in-kernel Quote generation Xu Yilun
2026-06-25 18:01   ` Sean Christopherson
2026-06-29 10:03     ` Peter Fang
2026-06-30  0:42       ` Sean Christopherson
2026-06-30 23:33         ` Edgecombe, Rick P
2026-07-01  0:24           ` Dan Williams (nvidia)
2026-07-01 17:25             ` Sean Christopherson
2026-07-01 18:45               ` Edgecombe, Rick P
2026-07-04  5:43                 ` Peter Fang [this message]
2026-07-06 17:57                   ` Sean Christopherson
2026-06-18  8:13 ` [PATCH v2 17/17] KVM: TDX: Support event-notify interrupts only with userspace Quoting Xu Yilun
2026-06-25  6:28   ` Tony Lindgren
2026-06-30  6:36     ` Peter Fang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260704054342.GB2169894@pedri \
    --to=peter.fang@intel.com \
    --cc=adrian.hunter@intel.com \
    --cc=baolu.lu@linux.intel.com \
    --cc=dave.hansen@intel.com \
    --cc=dave.hansen@linux.intel.com \
    --cc=djbw@kernel.org \
    --cc=kas@kernel.org \
    --cc=kishen.maloor@intel.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-coco@lists.linux.dev \
    --cc=linux-kernel@vger.kernel.org \
    --cc=rick.p.edgecombe@intel.com \
    --cc=seanjc@google.com \
    --cc=sohil.mehta@intel.com \
    --cc=tony.lindgren@linux.intel.com \
    --cc=x86@kernel.org \
    --cc=xiaoyao.li@intel.com \
    --cc=yilun.xu@intel.com \
    --cc=yilun.xu@linux.intel.com \
    --cc=zhenzhong.duan@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox